Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of analyzing a vulnerability in software installed on an Internet of things (IoT) device, which is performed by a vulnerability analysis device, the method comprising: acquiring a target binary file extracted from firmware of an IoT device; generating a taint path and transmission information related to the taint path by performing taint analysis on the target binary file; and detecting a vulnerability in the target binary file by performing symbolic execution on the target binary file on the basis of the taint path and the transmission information, wherein the taint path includes a user function, including a user input function that is an internal function of the software or a user library function based on an external library of the software, and wherein the detecting of the vulnerability in the target binary file by performing the symbolic execution on the target binary file further comprises: dividing the generated taint path into blocks; performing symbolic execution on the generated taint path on a block-by-block basis based on the transmission information related to the taint path to calculate state information of each block of the taint path; analyzing block-specific state information to determine the vulnerability of the target binary file; comparing the block-specific state information resulting from the symbolic execution with at least one preset vulnerable pattern to determine whether the block-specific state information corresponds to the compared preset vulnerable pattern; and when the block-specific state information corresponds to the compared preset vulnerable pattern, determining that the target binary file of which the state information has been analyzed has the vulnerability.
2. The method of claim 1, wherein the generating of the taint path and the transmission information related to the taint path comprises: specifying a taint sink in the target binary file; generating a tracking graph by tracking a parameter from the taint sink; determining whether the user function is in the tracking graph and designating the user function as a taint source corresponding to the taint sink; generating a taint path for the target binary file including the taint sink and the taint source; and generating transmission information of the taint path.
3. The method of claim 2, wherein the generating of the taint path and the transmission information related to the taint path further comprises, upon the determination of no taint source in the tracking graph, removing the tracking graph.
4. The method of claim 2, wherein the specifying of the taint sink in the target binary file comprises, when it is determined that a vulnerable function included in a prestored vulnerable function list is used in the target binary file, designating an instruction in which the determined vulnerable function is used as a taint sink.
5. The method of claim 2, wherein the generating of the tracking graph by tracking the parameter from the taint sink comprises: a first operation of processing an instruction corresponding to a position of the taint sink to divide the instruction into a left term and a right term; a second operation of processing one of the left term and right term including an operator to divide the left term or right term into the operator and an argument; a third operation of processing the argument included in the left term or right term to determine whether the argument is a variable or constant; an operation of searching, when the argument is a variable, the target binary file for at least one instruction in which the argument is used as the variable; and an operation of repeating the first operation to the third operation on each found instruction to generate the tracking graph using the instruction having the argument of which analysis has been completed up to an argument level.
6. The method of claim 2, wherein the determining of whether the user function is in the tracking graph and the designating of the user function as the taint source corresponding to the taint sink comprises: designating the user function as the taint source corresponding to the taint sink on the basis of a call function for calling the taint sink and the tracking graph by comparing all call instructions in a function for calling the taint sink with call instructions in the tracking graph; and specifying the taint source corresponding to the taint sink on the basis of a comparison result of the call instructions.
7. The method of claim 6, wherein the determining of whether the user function is in the tracking graph and the designating of the user function as the taint source corresponding to the taint sink further comprises: when the designated taint source includes at least one function in a preset blacklist after the taint source corresponding to the taint sink is designated, canceling designation of the taint source; determining whether the tracking graph includes a different taint source from the canceled taint source; when it is determined that the tracking graph includes the different taint source, redesignating the different taint source as the taint source corresponding to the taint sink; and regenerating the taint path on the basis of the taint sink and the redesignated taint source.
8. The method of claim 1, wherein the transmission information includes one or more of a call function of a taint sink, an address of the call function of the taint sink, a risk stage based on a result of the taint analysis, risk information based on the result of the taint analysis, an address of a taint source, an argument number of a decimal portion, an address of the taint sink, an argument number of the taint sink, and a size of an argument of the taint sink, and the generating of the transmission information related to the taint path comprises generating a risk stage for the taint path on the basis of a preset whitelist and generating risk information of the taint path on the basis of the generated risk stage to generate the risk stage and the risk information in the transmission information.
9. The method of claim 1, wherein the performing of the symbolic execution on the generated taint path on a block-by-block basis comprises: replacing a value at a start point of a block with a symbol to symbolize the taint path on a block-by-block basis; and performing a symbolic execution operation on the taint path symbolized on a block-by-block basis.
10. The method of claim 9, wherein the performing of the symbolic execution operation on the taint path symbolized on a block-by-block basis comprises, when a search time for the block to be searched exceeds a preset threshold time or a search frequency of the block exceeds a preset threshold frequency while the block is searched along the taint path, stopping searching the block along the taint path and continuing searching a subsequent block along the taint path to calculate state information of the subsequent block.
11. The method of claim 1, wherein the comparing of the block-specific state information resulting from the symbolic execution with the at least one preset vulnerable pattern to determine whether the block-specific state information corresponds to the compared preset vulnerable pattern comprises: registering an argument for a target variable as a symbol to determine whether the target variable to be searched for from a start point of the taint path to an end point reaches a preset vulnerable function; determining whether the symbol or another variable referring to the symbol reaches the preset vulnerable function; and when it is determined that the block-specific state information resulting from the symbolic execution represents that a user input value reaches a function for executing an instruction, determining that the block-specific state information corresponds to a first vulnerable pattern indicating a first vulnerability.
12. The method of claim 11, wherein the comparing of the block-specific state information resulting from the symbolic execution with the at least one preset vulnerable pattern to determine whether the block-specific state information corresponds to the compared preset vulnerable pattern further comprises: determining whether a sign bit of at least one variable in the block is changed during a runtime on the basis of the block-specific state information resulting from the symbolic execution; and if it is determined that a highest sign bit is changed, determining that the block-specific state information corresponds to a second vulnerable pattern indicating a second vulnerability.
13. The method of claim 12, wherein the comparing of the block-specific state information resulting from the symbolic execution with the at least one preset vulnerable pattern to determine whether the block-specific state information corresponds to the compared preset vulnerable pattern further comprises: searching a specific path from the start point of the taint path to the end point using a dynamic memory allocation function and a dynamic memory return function; and when state information resulting from the search represents that there are two frees in the specific search path, determining that the block-specific state information corresponds to a third vulnerable pattern indicating a third vulnerability.
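The three preset vulnerable patterns of claims 11 to 13, checked against block-specific state information walked in taint-path order, as an added Python example that is not part of the patent or of any implementation of it. The BlockState records, the function sets and the 32-bit width are constructed assumptions standing in for what the symbolic execution of claims 9 and 10 would report.

```python
from dataclasses import dataclass, field

EXEC_FUNCS = {"system", "popen", "execve"}    # functions that execute an instruction (pattern 1)
ALLOC_FUNCS = {"malloc", "calloc"}            # dynamic memory allocation functions (pattern 3)
FREE_FUNCS = {"free"}                         # dynamic memory return functions (pattern 3)

@dataclass
class BlockState:
    # Constructed stand-in for block-specific state information reported by the symbolic executor.
    block: int
    ops: list                                   # ("assign", dst, [srcs]) or ("call", func, [args], dst)
    values: dict = field(default_factory=dict)  # var -> (value at block entry, value at block exit)

def match_vulnerable_patterns(states, symbols, width=32):
    # Walk the blocks in taint-path order; return (pattern, block, detail) for every preset pattern hit.
    taint = {var: {sym} for var, sym in symbols.items()}   # target variables registered as symbols
    freed, findings, mask = set(), [], (1 << width) - 1
    for st in states:
        for op in st.ops:
            if op[0] == "assign":                          # a variable referring to the symbol is tainted too
                _, dst, srcs = op
                taint[dst] = set().union(*(taint.get(s, set()) for s in srcs))
                continue
            _, func, args, dst = op
            if func in EXEC_FUNCS and any(taint.get(a) for a in args):
                findings.append(("P1:user-input-reaches-exec", st.block, func))
            if func in ALLOC_FUNCS:
                freed.discard(dst)                         # fresh allocation: pointer is live again
            elif func in FREE_FUNCS:
                if args[0] in freed:
                    findings.append(("P3:double-free", st.block, args[0]))
                freed.add(args[0])
            if dst is not None:                            # call result depends on its tainted arguments
                taint[dst] = set().union(*(taint.get(a, set()) for a in args))
        for var, (before, after) in st.values.items():     # highest bit differs between entry and exit
            if ((before ^ after) & mask) >> (width - 1):
                findings.append(("P2:sign-bit-change", st.block, var))
    return findings

# Constructed path: user input in buf flows to system(); len wraps past INT_MAX; p is freed twice.
SYMBOLS = {"buf": "sym_buf"}
STATES = [
    BlockState(0, [("call", "strlen", ["buf"], "len"), ("assign", "cmd", ["buf"])],
               values={"len": (0x7FFFFFFF, 0x80000000)}),
    BlockState(1, [("call", "malloc", ["len"], "p"), ("call", "free", ["p"], None)]),
    BlockState(2, [("call", "system", ["cmd"], "rc"), ("call", "free", ["p"], None)]),
]
```

Running `match_vulnerable_patterns(STATES, SYMBOLS)` reports one hit per pattern; with no registered symbol the command-execution pattern is not reported because nothing on the path refers to user input.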
14. A non-transitory, computer-readable recording medium on which a program for performing the method of analyzing a vulnerability in software installed on an Internet of things (IoT) device according to claim 1 is recorded.
15. A vulnerability analysis device for analyzing a vulnerability in software installed on an Internet of things (IoT) device, the vulnerability analysis device comprising: a communication unit configured to acquire a target binary file extracted from firmware of the IoT device; a taint analysis unit configured to generate a taint path by performing taint analysis on the target binary file and generate transmission information related to the taint path; and a vulnerability analysis unit configured to detect a vulnerability in the target binary file by performing symbolic execution on the target binary file on the basis of the taint path and the transmission information, wherein, to perform symbolic execution on the target binary file and analyze the vulnerability of the target binary file, the vulnerability analysis unit is further configured to: divide the generated taint path into blocks; perform symbolic execution on the generated taint path on a block-by-block basis based on the transmission information related to the taint path to calculate state information of each block of the taint path; analyze block-specific state information to determine the vulnerability of the target binary file; compare the block-specific state information resulting from the symbolic execution with at least one preset vulnerable pattern to determine whether the block-specific state information corresponds to the compared preset vulnerable pattern; and when the block-specific state information corresponds to the compared preset vulnerable pattern, determine that the target binary file of which the state information has been analyzed has the vulnerability.
16. The vulnerability analysis device of claim 15, wherein the taint analysis unit includes an instruction analyzer, an operation analyzer, and an atom analyzer to generate a tracking graph; the instruction analyzer processes the target binary file on an instruction-by-instruction basis to divide a processed instruction into a left term and a right term, transmits one of the divided left and right terms including an operator to the operation analyzer, and transmits the other of the divided left and right terms including no operator to the atom analyzer; the operation analyzer processes the left term or right term on an operation-by-operation basis to determine whether a left- or right-term component is an operator and transmits a term component which is not an operator to the atom analyzer; and the atom analyzer processes an argument in the processed instruction on an atom-by-atom basis to classify the argument as a variable or constant.
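The taint-path generation of claims 2 to 7 (sink specification from a vulnerable function list, tracking graph built by the instruction, operation and atom analyzers of claims 5 and 16, taint source designation with blacklist cancellation, and discarding graphs with no source), as an added Python example that is not part of the patent or of any implementation of it. The three-address listing, the vulnerable function list, the user function set and the blacklist are all constructed assumptions.

```python
import re

VULN_FUNCS = {"system", "strcpy", "sprintf"}           # stand-in for the prestored vulnerable function list (sinks)
USER_FUNCS = {"recv", "getenv", "fgets", "nvram_get"}  # user input / user library functions (source candidates)
BLACKLIST = {"nvram_get"}                              # constructed preset blacklist: such a source is cancelled

def instruction_analyzer(instr):
    # First operation: split "lhs = rhs" into a left term and a right term.
    return tuple(t.strip() for t in instr.split("=", 1))
def operation_analyzer(term):
    # Second operation: split the term carrying an operator into (operator, [arguments]).
    m = re.fullmatch(r"(\w+)\((.*)\)", term)             # call form  f(a, b)
    if m:
        return m.group(1), [a.strip() for a in m.group(2).split(",") if a.strip()]
    m = re.fullmatch(r"(\S+)\s*([-+*])\s*(\S+)", term)   # binary form  a + b
    return (m.group(2), [m.group(1), m.group(3)]) if m else (None, [term])
def atom_analyzer(arg):
    # Third operation: an argument is a constant (number or string literal) or a variable.
    return "constant" if re.fullmatch(r'-?\d+|".*"', arg) else "variable"
def call_of(prog, i):
    return operation_analyzer(instruction_analyzer(prog[i])[1])[0]

def build_tracking_graph(prog, sink):
    # Track each variable argument back to the nearest earlier defining instruction: {index: [defining indices]}.
    graph, work = {}, [sink]
    while work:
        i = work.pop()
        if i in graph:
            continue
        graph[i] = []
        for arg in operation_analyzer(instruction_analyzer(prog[i])[1])[1]:
            if atom_analyzer(arg) == "variable":
                for j in range(i - 1, -1, -1):
                    if instruction_analyzer(prog[j])[0] == arg:
                        graph[i].append(j); work.append(j); break
    return graph

def taint_paths(prog):
    # (source, sink) pairs; a sink whose graph has no non-blacklisted user function is dropped (claim 3).
    paths = []
    for sink in [i for i in range(len(prog)) if call_of(prog, i) in VULN_FUNCS]:
        graph = build_tracking_graph(prog, sink)
        sources = [i for i in sorted(graph) if call_of(prog, i) in USER_FUNCS]
        usable = [i for i in sources if call_of(prog, i) not in BLACKLIST]   # cancel, then redesignate
        if usable:
            paths.append((usable[0], sink))
    return paths

PROG = ['name = nvram_get("hostname")', "buf = recv(sock, 512)", "tmp = buf + 1",   # constructed stand-in
        "cmd = tmp", "r = system(cmd)", "r2 = strcpy(dst, name)"]                    # for a lifted function
```

On the constructed listing, `taint_paths(PROG)` yields only the recv-to-system path: the strcpy sink is tracked back to nvram_get, which the blacklist cancels, and with no other source in that graph the sink is discarded.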
March 4, 2025